I need to deploy NFSv4 with Kerberos authentication in an existing AD environment, but this has to be done without making any changes to the KDC ...
So I figured I would have to reuse the host credentials to authenticate the servers. However, it doesn't seem to be working and I just can't figure out why.
I'm working with CentOS 6. We're using Kerberos + LDAP with several other services (SSH via PAM, OpenAFS, ...).
For simplicity, the same machine plays the role of both client and server for now.
So my configuration looks like this:
/etc/sysconfig/nfs:
SECURE_NFS="yes"
RPCGSSDARGS="-vvvvvvv"
RPCSVCGSSDARGS="-n -vvvvv -rrrrr -iiiiii"
The important part here is the "-n" option passed to rpc.svcgssd (from the man page: "Use the system default credentials (host/FQDN@REALM) rather than the default nfs/FQDN@REALM.")
In /etc/idmapd.conf I have:
[General]
Verbosity = 3
Domain = mycompany.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
In /etc/krb5.conf I have:
[libdefaults]
default_realm = MYCOMPANY.COM
ticket_lifetime = 25h
renew_lifetime = 120h
forwardable = true
proxiable = true
default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
allow_weak_crypto = true
chpw_prompt = true
[realms]
MYCOMPANY.COM = {
default_domain = mycompany.com
kpasswd_server = dc.mycompany.com
admin_server = dc.mycompany.com
kdc = dc.mycompany.com
v4_name_convert = {
host = {
rcmd = host
}
}
}
[domain_realm]
.mycompany.com = MYCOMPANY.COM
[appdefaults]
pkinit_pool = DIR:/etc/pki/tls/certs/
pkinit_anchors = DIR:/etc/pki/tls/certs/
pam = {
external = true
krb4_convert = false
krb4_convert_524 = false
krb4_use_as_req = false
ticket_lifetime = 25h
use_shmem = sshd
}
In /etc/exports:
/exports *(rw,async,no_root_squash,insecure,no_subtree_check,fsid=0,sec=krb5)
/exports/data *(rw,async,no_root_squash,insecure,no_subtree_check,nohide,sec=krb5)
Now, if I try to mount this NFS share by running
mount -vvvv -t nfs4 -o rw,sec=krb5 nfs-srv-1:/ /mnt
as root, I get:
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: spec: "nfs-srv-1:/"
mount: node: "/mnt"
mount: types: "nfs4"
mount: opts: "rw,sec=krb5"
final mount options: 'sec=krb5'
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "nfs-srv-1:/"
mount: external mount: argv[2] = "/mnt"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Thu Sep 3 15:19:19 2015
mount.nfs4: trying text-based options 'sec=krb5,addr=xxx.xxx.xx.xxx,clientaddr=xxx.xxx.xx.xxx'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs-srv-1:/
and in the logs:
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: process_krb5_upcall: service is '<null>'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/[email protected] while getting keytab entry for 'nfs/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server [email protected]
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/[email protected] while getting keytab entry for 'nfs/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server [email protected]
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8c
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8b
Ticket cache contents (from a later run, please ignore the timestamps ...):
Ticket cache: FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Default principal: host/[email protected]
Valid starting Expires Service principal
09/04/15 10:34:34 09/05/15 11:34:34 krbtgt/[email protected]
renew until 09/09/15 10:34:34
It looks like it finds my host credentials but fails to initialize the Kerberos 5 context. I have no idea what to do with this, could you help me?
Let me know if you need more details.
Thanks in advance.
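As an added diagnostic (not part of the question above and not the poster's code), the script below walks the same steps rpc.gssd takes in the quoted log: it lists which of the principals gssd probes (`HOSTNAME$@REALM`, `root/`, `nfs/`, `host/`) are absent from the keytab, checks whether the machine credential cache still holds a valid TGT, and then asks the KDC for a service ticket for `nfs/<fqdn>` with `kvno`. That last step is what the failing `creating context with server nfs@nfs-srv-1.mycompany.com` line corresponds to: the initiator side needs a ticket for the `nfs/` service principal regardless of the `-n` given to rpc.svcgssd, which only changes the keytab entry the server side accepts with. The hostname, realm, keytab path and ccache name are taken from the post's logs and are assumptions for any other system; the keytab listing embedded in the script is constructed sample output, not captured from the poster's machine.

```shell
#!/bin/sh
# Added diagnostic for the rpc.gssd failure quoted above; not code from the
# original post. Hypothetical values: host nfs-srv-1.mycompany.com, realm
# MYCOMPANY.COM, keytab /etc/krb5.keytab, machine ccache
# FILE:/tmp/krb5cc_machine_MYCOMPANY.COM (the names the post's logs show).

# The keytab principals rpc.gssd probes for machine credentials, in the order
# the log shows: AD-style machine account, then root/, nfs/ and host/.
gssd_candidate_principals() {
    fqdn="$1"; realm="$2"
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "${short}\$@${realm}" \
                  "root/${fqdn}@${realm}" \
                  "nfs/${fqdn}@${realm}" \
                  "host/${fqdn}@${realm}"
}

# Print the candidate principals that are absent from a `klist -kt` listing.
# The listing is passed as text ($3) so the check also works on saved output.
missing_keytab_principals() {
    fqdn="$1"; realm="$2"; listing="$3"
    gssd_candidate_principals "$fqdn" "$realm" | while IFS= read -r p; do
        printf '%s\n' "$listing" | grep -qF " $p" || printf '%s\n' "$p"
    done
}

# Constructed sample of `klist -kt` output (not captured from the poster's
# system): only the machine account and host/ entries exist, which is the
# situation the quoted log describes (root/ and nfs/ are not found).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/01/15 09:12:44 NFS-SRV-1$@MYCOMPANY.COM
   3 09/01/15 09:12:44 host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'

# Live checks; run as root on the NFS host. Each maps onto a step gssd performs:
# keytab lookup, a valid machine TGT, then a service ticket for nfs/<fqdn>,
# which is what the "creating context with server nfs@<fqdn>" step requests.
live_checks() {
    fqdn="$1"; realm="$2"; keytab="${3:-/etc/krb5.keytab}"
    ccache="FILE:/tmp/krb5cc_machine_${realm}"
    if ! command -v klist >/dev/null 2>&1 || ! command -v kvno >/dev/null 2>&1; then
        echo "klist/kvno not found: install the krb5 client tools (krb5-workstation on CentOS)" >&2
        return 2
    fi
    echo "== candidate principals missing from $keytab =="
    missing_keytab_principals "$fqdn" "$realm" "$(klist -kt "$keytab" 2>&1)"
    echo "== machine credential cache $ccache =="
    if KRB5CCNAME="$ccache" klist -s; then
        echo "machine TGT present and not expired"
    else
        echo "machine TGT missing or expired (gssd recreates it from the keytab)"
    fi
    echo "== service ticket for nfs/$fqdn from the KDC =="
    if ! KRB5CCNAME="$ccache" kvno "nfs/${fqdn}@${realm}"; then
        echo "the KDC did not issue a ticket for nfs/${fqdn}; read the kvno error:" \
             "'Server not found in Kerberos database' means that service principal" \
             "is not registered on the KDC (in AD, an SPN on the computer account)"
    fi
}

# Run the live checks only when invoked with a host and realm, e.g.
#   sh check-nfs-krb.sh nfs-srv-1.mycompany.com MYCOMPANY.COM
if [ "$#" -ge 2 ]; then
    live_checks "$@"
fi
```

The keytab and ccache checks reproduce what the log already says (host/ found, machine TGT good until the given epoch), so on the poster's system the informative output is the `kvno` step: if it succeeds the problem lies elsewhere, and if it fails the error text names the reason the KDC refuses the `nfs/` service ticket.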